Earlier last week, a newly identified ransomware affected several computer systems around Europe.
The new strain of ransomware, dubbed ‘Bad Rabbit’ and spreading primarily in Russia, Ukraine, Turkey, and Germany, utilises one of the NSA exploits leaked by WikiLeaks earlier this year. According to several malware researchers and subsequent analysis, an NSA exploit (EternalRomance) was used to spread the malware and move laterally across the network.
Cybersecurity firm Kaspersky Lab was monitoring the malware and compared it to the WannaCry and Petya attacks that caused so much chaos earlier this year.
Despite early reports that this week’s crypto-ransomware outbreak made no use of NSA exploits, research released by Cisco Talos suggested that the ransomware worm known as ‘Bad Rabbit’ did, in fact, use a stolen Equation Group exploit revealed by Shadowbrokers to spread across victims’ networks. The attackers used an EternalRomance-like exploit to bypass security mechanisms, but there were no signs of the DoublePulsar backdoor or of any shellcode abusing Server Message Block (SMB) file sharing, also known as the Common Internet File System (CIFS), the application-layer protocol the exploit targets to execute instructions remotely on Windows clients and servers. Bad Rabbit closely follows an open-source Python implementation of a Windows exploit (MS17-010) that used EternalRomance (and another Equation Group tool, EternalSynergy), leveraging the same methods revealed in the Shadowbrokers code release. ExPetr/NotPetya also leveraged this exploit.
Key Points of Bad Rabbit
- Affects Windows OS.
- Distributes through a fake Adobe Flash Update (install_flash_player.exe) that requires confirmation by the user.
- Attempts to distribute itself via SMB and WMIC.
- Binary similarities with ExPetr/NotPetya.
- Uses compromised websites to deliver dropper (drive-by download).
- Infpub.dat is the main DLL; cscc.dat is the legitimate driver used for disk encryption; dispci.exe installs the boot-locker and communicates with the driver.
- Executable dispci.exe uses legitimate disk encryption module from DiskCryptor.
- Doesn’t delete Shadow Copies.
Bad Rabbit vs Petya (ExPetr, NotPetya etc.)
Below is a comparison table between the Petya and Bad Rabbit malware families:
Once a victim is infected by Bad Rabbit, their traffic is directed to a Tor hidden service where a ransom of 0.05 Bitcoin (~£220) is demanded to decrypt the victim’s data. If the ransom is not paid within approximately 42 hours, the cost of decryption increases. The ransom message, red text on a black background, appears very similar to the one used in the NotPetya attacks this June.
NotPetya targeted primarily Russia and Ukraine, with the vast majority of infections occurring in Ukraine, but some big names in the West also suffered. International advertising conglomerate WPP was taken offline, global law firm DLA Piper was infected, pharmaceutical Merck was busted up and, most worryingly, shipping behemoth Maersk warned of a worldwide outage that could seriously bork the global transport supply chain. Computer terminals in major ports were taken down for hours by the malware.
According to Kaspersky Lab’s initial analysis, “No exploits were used, so the victim would have to manually execute the malware dropper, which pretends to be an Adobe Flash installer. We’ve detected a number of compromised websites, all of which were news or media websites.”
ESET security researchers, on the other hand, have detected the Bad Rabbit ransomware threat as “Win32/Diskcoder.D”, a new variant of the Petya malware family. The Petya malware variant is also known as Petrwrap, NotPetya, ExPetr and GoldenEye.
Analysis & Propagation Mechanisms
Looking at the downloaded file named install_flash_player.exe, we can see that its digital signature was issued to Symantec Corporation and not to Adobe Systems Incorporated, as it would be for a legitimate Flash Player executable. Nowadays, malware authors do this to stop anti-virus systems from detecting their samples and to bypass other security mechanisms. They do not even need to control a code-signing certificate: they simply copy an Authenticode signature from a legitimate file onto their malware sample.
The downloaded file install_flash_player.exe needs to be launched manually by the user. Bad Rabbit needs elevated administrative privileges and therefore attempts to obtain them through the standard User Account Control (UAC) prompt shown below. UAC is NOT turned off by default on Windows, precisely to avoid such risks; however, if you have turned UAC off, the malware runs without the prompt ever appearing. Other malware families disable UAC by setting the EnableLUA value under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System to 0 in order to bypass the mechanism.
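The two host-side checks that follow from the last two paragraphs, as an added PowerShell example (not code from the original post or from any of the vendors cited): a copied Authenticode signature no longer covers the file's hash, so Get-AuthenticodeSignature reports HashMismatch rather than Valid, and the EnableLUA value tells you whether the UAC prompt the dropper relies on is still in place. The quarantine path is an assumption.

```powershell
# Added example (not from the original post). Checks a suspected dropper's
# Authenticode status and whether UAC is still enabled on this host.
# $SamplePath is an assumed quarantine location, not a path from the post.
$SamplePath = 'C:\Quarantine\install_flash_player.exe'

function Test-DropperSignature {
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) {
        throw "Sample not found: $Path"
    }
    # A signature block copied from another binary does not match this
    # file's hash, so Windows reports HashMismatch instead of Valid.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
    [pscustomobject]@{
        Path           = $Path
        Status         = $sig.Status          # Valid, HashMismatch, NotSigned, ...
        Signer         = $subject
        SignatureValid = ($sig.Status -eq 'Valid')
        # A genuine Flash installer is signed by Adobe; any other signer is a red flag
        SignerIsAdobe  = ($subject -like '*Adobe Systems Incorporated*')
    }
}

function Get-UacState {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $lua = (Get-ItemProperty -Path $key -Name EnableLUA -ErrorAction SilentlyContinue).EnableLUA
    if ($null -eq $lua) { $lua = 1 }   # value absent: Windows treats UAC as enabled
    [pscustomobject]@{
        EnableLUA  = $lua
        UacEnabled = ($lua -eq 1)      # 0 means no consent prompt: the dropper elevates silently
    }
}

Test-DropperSignature -Path $SamplePath | Format-List
Get-UacState
```

Both checks read only; neither needs an elevated session. A sample reporting HashMismatch with a non-Adobe signer matches the pattern described above, and UacEnabled = False means the machine would have run the dropper without the prompt.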
Once install_flash_player.exe is executed, it saves the malicious DLL as C:\Windows\infpub.dat and launches it using rundll32.
Infpub.dat appears capable of brute-forcing NTLM login credentials against Windows machines at pseudo-random IP addresses. It is worth mentioning that the default Windows authentication protocol nowadays is Kerberos; however, if Kerberos authentication fails, Windows falls back to the NTLM challenge/response mechanism. NT LAN Manager is the default authentication protocol in Windows NT and in Windows 2000 workgroup environments. Windows Server 2003, Windows XP and Windows 2000 use a mechanism called Negotiate (SPNEGO) to negotiate which authentication protocol is used.
Infpub.dat also installs the malicious executable dispci.exe into C:\Windows and, as NotPetya did, schedules a task that reboots the system once the infection and compromise phases complete. This also gives it persistence while communicating with the driver used for encryption. It then behaves as a typical file-encrypting ransomware: it finds the victim’s data files using an embedded extension list and encrypts them with the criminals’ public RSA-2048 key. The executable dispci.exe appears to be derived from the code base of the legitimate utility DiskCryptor. It acts as the disk-encryption module, which also installs the modified bootloader and prevents the normal boot-up of the infected machine.
The Bad Rabbit ransomware threat is capable of moving laterally across a network and of brute-forcing NTLM login credentials. It comes with a hardcoded credential list and Mimikatz.
Bad Rabbit bears similarities to the WannaCry and Petya outbreaks earlier this year, as illustrated above. It has spread like wildfire across Europe and has already affected over 200 major organisations, primarily in Russia, Ukraine, Bulgaria, Turkey and Germany.
According to ESET’s telemetry, Russia accounts for 65% of the total number of detections of the Bad Rabbit dropper component (numbers will most likely increase as we go forward). The statistics are as follows:
The following indicators are associated with this incident:
Description: Mimikatz (32-bit)
Description: Mimikatz (64-bit)
Payment site: http://caforssztxqzf2nm[.]onion
Inject URL: http://185.149.120[.]3/scholargoogle/
Distribution URL: hxxp://1dnscontrol[.]com/flash_install.php
Additional Domains associated with Bad Rabbit (i.e. compromised site, C2):
Initially, DO NOT PAY THE RANSOM!
The encryption scheme utilised by the ransomware is the typical combination of AES-128 in CBC mode and the criminals’ RSA-2048 public key, with a public exponent of 65537. The exponent 65537 is commonly used in RSA for performance reasons during the encryption/verification phase, as a larger exponent would make the public RSA operation much slower. The encryption and hashing algorithms used in Bad Rabbit appear to be the same ones used in the ExPetr ransomware.
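Why the exponent choice matters for speed, as an added PowerShell example (not code from the original post or from the malware): a right-to-left square-and-multiply exponentiation does one squaring per exponent bit and one multiplication per set bit, and 65537 = 2^16 + 1 has only 17 bits with two of them set. The modulus and base below are constructed for illustration and are not a real RSA key.

```powershell
# Added example (not from the original post). Counts the modular squarings
# and multiplications performed by square-and-multiply exponentiation, to show
# why e = 65537 keeps the public RSA operation cheap compared with a full-size
# exponent. Modulus and base are constructed stand-ins, not a real key.

function Measure-ModPow {
    param([bigint]$Base, [bigint]$Exponent, [bigint]$Modulus)
    $result = [bigint]::One
    $b = [bigint]::Remainder($Base, $Modulus)
    $e = $Exponent
    $squares = 0
    $multiplies = 0
    while ($e -gt [bigint]::Zero) {
        if (-not $e.IsEven) {            # one multiplication per set bit of the exponent
            $result = [bigint]::Remainder([bigint]::Multiply($result, $b), $Modulus)
            $multiplies++
        }
        $e = [bigint]::Divide($e, 2)
        if ($e -gt [bigint]::Zero) {     # one squaring per remaining exponent bit
            $b = [bigint]::Remainder([bigint]::Multiply($b, $b), $Modulus)
            $squares++
        }
    }
    # Sanity check against the framework's own modular exponentiation
    if ($result -ne [bigint]::ModPow($Base, $Exponent, $Modulus)) { throw 'ModPow mismatch' }
    [pscustomobject]@{
        ExponentBits = $Exponent.ToByteArray().Length * 8
        Squarings    = $squares
        Multiplies   = $multiplies
        Total        = $squares + $multiplies
    }
}

$n = [bigint]::Pow(2, 2048) - 1    # 2048-bit odd number standing in for an RSA modulus
$m = [bigint]12345                  # stand-in for a padded message block

# e = 65537: 16 squarings and 2 multiplications
Measure-ModPow -Base $m -Exponent 65537 -Modulus $n
# A 2048-bit exponent with every bit set: 2047 squarings and 2048 multiplications
Measure-ModPow -Base $m -Exponent ([bigint]::Pow(2, 2048) - 1) -Modulus $n
```

The second call is the worst case; a random 2048-bit exponent averages about half as many multiplications but the same number of squarings, which is why the private (decryption) operation is the slow side of RSA and the public operation with e = 65537 is cheap. Requires Windows PowerShell 5.1 or PowerShell 7 (the [bigint] accelerator).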
According to Kaspersky Labs, the full list of embedded hashes of the process names are the following:
Luckily, Bad Rabbit is not a wiper like ExPetr/NotPetya, whose victims were unable to decrypt the Master File Table (MFT) encrypted by the GoldenEye ransomware family component. Unfortunately, users affected by Bad Rabbit will be unable to decrypt their files without the threat actor’s RSA-2048 private key, since the symmetric encryption keys are securely generated on the ransomware side.
On the other hand, Kaspersky Lab has found a flaw in the code of dispci.exe: the malware does not wipe the generated password from memory, which means there is a slim chance of extracting it before the dispci.exe process terminates, provided you have not rebooted the machine.
Finally, it appears that shadow copies (aka Volume Snapshot Service) are not deleted by the ransomware during or after encryption. Therefore, if you had enabled and configured volume shadow copies on your Windows volumes, you may be lucky enough to get your encrypted files back.
Disable the WMI service to prevent the malware spreading over the network, and block execution of files such as C:\Windows\infpub.dat and C:\Windows\cscc.dat. Stay vigilant when opening unsolicited emails containing documents or clicking on embedded links, as there will also be copycat-style attacks out there.
Consider creating the dropped files infpub.dat and cscc.dat in the C:\Windows\ path with modified permissions to prevent the ransomware from executing.
Monitor/block as necessary from the above-mentioned Primary and Secondary IOC list.
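The three countermeasures above as one added PowerShell example (not code from the original post or from any vendor): pre-creating infpub.dat and cscc.dat with an empty DACL so nothing can overwrite or execute them, stopping the Winmgmt service that WMIC lateral movement depends on, and sweeping log lines for the indicators listed earlier. The file names and indicators come from the post; the sample log lines are constructed for the example.

```powershell
# Added example (not from the original post). Host hardening and IOC sweep
# for the countermeasures listed above. File names and indicators are from the
# post; the log lines are constructed sample data, not real telemetry.

$VaccineFiles = @('C:\Windows\infpub.dat', 'C:\Windows\cscc.dat')

function Install-VaccineFiles {
    # Pre-create the dropper's file names as empty, read-only files and strip
    # every ACE, so the malware can neither overwrite nor execute them.
    foreach ($f in $VaccineFiles) {
        if (-not (Test-Path -LiteralPath $f)) {
            New-Item -Path $f -ItemType File -Force | Out-Null
        }
        Set-ItemProperty -Path $f -Name IsReadOnly -Value $true
        # /inheritance:r drops inherited ACEs; with no explicit ACEs the DACL
        # is empty, which denies access to everyone (an administrator can
        # still take ownership to undo this later)
        & icacls.exe $f /inheritance:r | Out-Null
    }
}

function Disable-WmiService {
    # WMIC-based spreading rides on the Winmgmt service; stopping and disabling
    # it removes that path. Only do this where nothing else depends on WMI.
    Stop-Service -Name Winmgmt -Force
    Set-Service -Name Winmgmt -StartupType Disabled
}

# Indicators from the post, with the defanging brackets removed for matching
$Iocs = @('1dnscontrol.com', '185.149.120.3', 'caforssztxqzf2nm.onion')

function Find-IocHits {
    param([string[]]$LogLines)
    # Emit one record per (indicator, line) match; escape so '.' is literal
    foreach ($line in $LogLines) {
        foreach ($ioc in $Iocs) {
            if ($line -match [regex]::Escape($ioc)) {
                [pscustomobject]@{ Indicator = $ioc; Line = $line }
            }
        }
    }
}

# Set $ApplyHardening = $true in an elevated session to create the vaccine
# files and stop WMI; the IOC sweep below is safe to run anywhere.
$ApplyHardening = $false
if ($ApplyHardening) { Install-VaccineFiles; Disable-WmiService }

# Constructed proxy log lines for illustration (not real telemetry)
$SampleLog = @(
    '2017-10-24 10:02:11 10.0.0.12 GET http://1dnscontrol.com/flash_install.php 200',
    '2017-10-24 10:02:13 10.0.0.12 GET http://185.149.120.3/scholargoogle/ 200',
    '2017-10-24 10:03:00 10.0.0.15 GET http://example.org/index.html 200'
)
Find-IocHits -LogLines $SampleLog | Format-Table -AutoSize
```

With the sample data the sweep reports two hits for host 10.0.0.12 (the distribution domain and the inject address) and nothing for the third line. In production, pipe Get-Content of the proxy or DNS log into Find-IocHits and extend $Iocs with the additional compromised-site and C2 domains as they are published.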
Note: This section is updated at regular intervals* with relevant information on further countermeasures, so as to limit and prevent exposure to this threat as much as possible.
* Check the (Last Updated On: “Date”) line at the beginning of the post to see when it was last updated.
Bad Rabbit ransomware: https://securelist.com/bad-rabbit-ransomware/82851/
Bad Rabbit: Not-Petya is back with improved ransomware: https://www.welivesecurity.com/2017/10/24/bad-rabbit-not-petya-back/